The no-go theorem of unconditionally secure quantum bit commitment depends crucially on the 
assumption that Alice knows in detail all the probability distributions generated by Bob. We show 
that if a protocol is concealing, then the cheating unitary transformation is independent of any 
parameters (including probability distributions) secretly chosen by Bob, so that Alice can calculate 
it without knowing Bob's secret choices. Otherwise the protocol cannot be concealing. Our result 
shows that the original impossibility proof was based on an incorrect assumption, despite the fact 
that its conclusion remains valid within the adopted framework. Furthermore, our result eliminates 
a potential loophole in the no-go theorem. 

The security of quantum bit commitment (QBC) is an important issue in quantum cryptography because QBC is a primitive which can be used as the building block of other important two-party cryptographic protocols [1].

A QBC protocol involves two parties customarily named Alice and Bob. Alice secretly commits to a bit $b$ (0 or 1) which is to be revealed to Bob at a later time. In order to bind Alice to her commitment, the two parties execute a series of quantum and/or classical procedures, so that at the end of the commitment phase, Bob is in possession of a quantum mechanical state $|\psi_B^{(b)}\rangle$. The idea is that, with additional classical information from Alice in the unveiling phase (when she unveils the value of $b$), Bob can use $|\psi_B^{(b)}\rangle$ to check whether Alice is honest. A QBC protocol is said to be binding if Alice cannot change her commitment without Bob finding out. Furthermore it is concealing if Bob can obtain no information about the value of $b$ before it is unveiled, which implies that the encoding density matrix of the state $|\psi_B^{(b)}\rangle$ is independent of the value of $b$,

A QBC protocol is secure if and only if it is both binding and concealing. Moreover, if a protocol is secure even if Alice and Bob had unlimited computational power, then it is said to be unconditionally secure.

In 1997, Lo and Chau and Mayers [2, 3, 4, 5] proved that unconditionally secure QBC is impossible. In a nutshell, the proof goes as follows. It is observed that the commitment process, which may involve any number of rounds of quantum and classical exchange of information between Alice and Bob, can always be represented by a unitary transformation on some initial state $|\phi_{AB}\rangle$ in the combined Hilbert space $H_A \otimes H_B$ of Alice and Bob:
Without loss of generality, we can take 



(2) 



and 



I^As) t*-" V^t:^ states. In this approach, Alice and 
Bob do not fix their undisclosed classical parameters in the commitment phase, but leave them undetermined at the quantum level instead. This is called quantum purification. In general it requires that Alice and Bob have access to quantum computers with unrestricted capacities, which is consistent with the assumption that they have unlimited computational power.

Therefore instead of honestly following the original protocol, Alice can always follow a modified protocol as described above, so that at the end of the commitment phase, there exists a pure state $|\Psi^{(b)}_{AB}\rangle$ in $H_A \otimes H_B$. As long as the reduced density matrix on Bob's side is unchanged, i.e.,

Bob has no way of knowing what Alice has actually done. Then it follows from the Schmidt decomposition theorem that

where $\{|e_A\rangle\}$, $\{|e'_A\rangle\}$, and $\{|\psi_B\rangle\}$ are orthonormal bases in the respective Hilbert spaces as indicated, and $\lambda$'s are real coefficients.

Notice that apart from the sets of bases $\{|e_A\rangle\}$ and $\{|e'_A\rangle\}$, $|\Psi^{(0)}_{AB}\rangle$ and $|\Psi^{(1)}_{AB}\rangle$ are identical. Since $\{|e_A\rangle\}$ and $\{|e'_A\rangle\}$ are related by a unitary transformation $U_A$ acting on Alice's Hilbert space $H_A$ only, we also have

$$|\Psi^{(1)}_{AB}\rangle = U_A\,|\Psi^{(0)}_{AB}\rangle. \tag{6}$$

The existence of $U_A$ implies that Alice has a sure-win cheating strategy (called EPR attack): Alice always commits to $b = 0$ in the beginning. Later on, if she wants to keep her initial commitment, she unveils as prescribed. However if she wants to switch to $b = 1$ instead, she just needs to apply the unitary transformation $U_A$ to the particles in her control, and then proceeds as if she had committed to $b = 1$ in the first place. The crucial point is that, because of Eq. (Q), it is impossible for Bob to find out what Alice actually did, and he would conclude that she is honest in either case. Hence if a QBC protocol is concealing, it cannot be binding at the same time. This is the conclusion of the "no-go theorem" of unconditionally secure QBC.

Note that the no-go theorem only proves the existence of the cheating unitary transformation $U_A$ in a QBC protocol which is concealing, but there is no proof that $U_A$ is always known to Alice. The point is, at the end of the commitment phase, the overall state $|\Psi^{(b)}_{AB}(\omega)\rangle$ may depend on some unknown parameter $\omega$ secretly chosen by Bob. If the reduced density matrix

$$\rho^{(b)}_B(\omega) = \mathrm{Tr}_A\,|\Psi^{(b)}_{AB}(\omega)\rangle\langle\Psi^{(b)}_{AB}(\omega)| \tag{7}$$

is independent of $b$, then in principle a cheating transformation $U_A(\omega)$ exists, so that

$$|\Psi^{(1)}_{AB}(\omega)\rangle = U_A(\omega)\,|\Psi^{(0)}_{AB}(\omega)\rangle. \tag{8}$$

However without the knowledge of $\omega$, Alice cannot calculate $U_A(\omega)$ by herself. As a result unconditionally secure QBC may be possible. This is a potential loophole of the no-go theorem.

The no-go theorem emphasizes that one should purify all undisclosed classical variables in analyzing the security issues. Even so, the question remains: What if Bob is allowed to choose probability distributions secretly? To this question, the authors of the no-go theorem state that "In order that Alice and Bob can follow the procedures, they must know the exact forms of all unitary transformations involved", and "It is a principle that we must assume that every participant knows every detail of the protocol, including the distribution of probability of a random variable generated by another participant". In other words the no-go theorem asserts without proof that in any QBC protocol the overall state $|\Psi^{(b)}_{AB}\rangle$ cannot contain any unknown parameters. This assertion is in fact not correct, and it has caused confusion among researchers. Without clarifying this issue, the impossibility proof is not complete and the no-go theorem will continue being challenged. In any case, as long as it does not jeopardize the security of a protocol, there is no reason why a party has to disclose the values of any secret parameters he/she might have chosen in the commitment phase.

To settle this issue, we prove the following theorem. The secret parameter $\omega$ will be taken to be a probability distribution, because in a fully quantum description, probability distributions are the only unknowns left. Except for the issue of secret parameters, we shall stay within the QBC framework adopted by the no-go theorem.

Theorem 1 If a QBC protocol is concealing, then the cheating unitary transformation is independent of any probability distributions ($\omega$'s) secretly chosen by Bob.

Proof If Bob is allowed to choose $\omega$ in secret, he can always postpone his choice with the help of a quantum computer. That means, instead of picking a particular $\omega = \omega_i$ and keeping it secret, he can purify his choices with a probability distribution $\pi = \{p_i\}$. The resulting overall state is given by

$$|\Psi'^{(b)}_{AB}(\pi)\rangle = \sum_i \sqrt{p_i}\,|\Psi^{(b)}_{AB}(\omega_i)\rangle\,|\chi_i\rangle, \tag{9}$$

where $\{|\chi_i\rangle\}$ is a set of orthonormal ancilla states in Bob's Hilbert space $H_B$. The new density matrix is given by

$$\rho'^{(b)}_B(\pi) = \mathrm{Tr}_A\,|\Psi'^{(b)}_{AB}(\pi)\rangle\langle\Psi'^{(b)}_{AB}(\pi)|. \tag{10}$$

Since the protocol is concealing, we have

$$\rho'^{(0)}_B(\pi) = \rho'^{(1)}_B(\pi) \tag{11}$$

for all possible $\pi$. Consider the case where $p_i \neq 0$, for all $i$. According to the no-go theorem there exists a cheating unitary transformation $U'_A$, such that

$$|\Psi'^{(1)}_{AB}(\pi)\rangle = U'_A\,|\Psi'^{(0)}_{AB}(\pi)\rangle. \tag{12}$$

It is easy to see that this same $U'_A$ also transforms $|\Psi^{(0)}_{AB}(\omega_i)\rangle$ to $|\Psi^{(1)}_{AB}(\omega_i)\rangle$ for all possible $\omega_i$, i.e.,

$$|\Psi^{(1)}_{AB}(\omega_i)\rangle = U'_A\,|\Psi^{(0)}_{AB}(\omega_i)\rangle, \quad \forall\,\omega_i. \tag{13}$$

The reason is that Bob can obtain $|\Psi^{(b)}_{AB}(\omega_i)\rangle$ from collapsing the ancilla states $\{|\chi_i\rangle\}$ on the right hand side of Eq. (9). Since $U'_A$ acts on Alice's Hilbert space $H_A$ only, it commutes with any operations executed on Bob's Hilbert space $H_B$. Consequently Eq. (12) holds independent of whether the ancilla has been measured or not, and Eq. (13) follows. Hence $U'_A$ is independent of $\omega$.

To avoid a circular argument, we need to show that $U'_A$ is also independent of the probability distribution $\pi = \{p_i\}$. As shown in the Appendix, any superposition of probability distributions can be rewritten as a single effective distribution. That is, by a redefinition of the ancilla states on Bob's side, we can rewrite $|\Psi'^{(b)}_{AB}(\pi)\rangle$ of Eq. (9) as

(14)

Substituting Eq. into Eq. we see that $U'_A$ might depend on $\pi$ through $\omega_j(\pi)$. But that is not possible since we have already proved that $U'_A$ is independent of $\omega_i$ for all $i$ [see Eq. (13)]. Hence the EPR cheating transformation $U'_A$ does not depend on $\pi$. QED.

Therefore in a concealing QBC protocol, the cheating unitary transformation $U_A$ is independent of any secret probability distributions chosen by Bob, and Alice can calculate $U_A$ without knowing Bob's particular choices. In fact, according to the corollary proven in the Appendix, $U_A$ cannot depend on any probability distribution (specified or secret) generated by Bob. This contradicts the claim that, to be able to cheat, Alice must know every detail of the protocol, including all the probability distributions generated by Bob, so that no unknown parameter is allowed in $|\Psi^{(b)}_{AB}\rangle$.

Conversely, if in any protocol the cheating unitary transformation is claimed to depend on a secret parameter $\omega$ chosen by Bob, then the protocol must be non-concealing under closer scrutiny. Thus our result eliminates a potential loophole in the no-go theorem.
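
A numerical check of Theorem 1 on a constructed one-qubit-each toy protocol, added here as an illustration and not part of the original paper (the states C0 and C1, Bob's operations {I, X} and all function names are assumptions chosen for the example). The cheating unitary is solved from the states that Bob's secret distribution actually produces, and it comes out the same for every distribution and for their purified superposition.

```python
from math import sqrt

# Constructed toy protocol (an assumption, not taken from the paper): one qubit each.
# A pure state of Alice+Bob is a coefficient matrix C[a][beta] (rows: Alice, columns: Bob).
S = 1 / sqrt(2)
C0 = [[S, 0], [0, S]]               # b = 0: (|0>|0> + |1>|1>)/sqrt(2)
C1 = [[0.5, 0.5], [0.5, -0.5]]      # b = 1: (|0>|+> + |1>|->)/sqrt(2)
I2, X = [[1, 0], [0, 1]], [[0, 1], [1, 0]]   # Bob's possible secret operations U_k

def matmul(P, Q):
    return [[sum(p * q for p, q in zip(row, col)) for col in zip(*Q)] for row in P]

def dagger(P):
    return [[complex(v).conjugate() for v in col] for col in zip(*P)]

def stack(weights, mats):
    """sum_k sqrt(w_k) |ancilla_k>|state_k>: weighted blocks side by side on Bob's index."""
    return [sum(([sqrt(w) * v for v in M[a]] for w, M in zip(weights, mats)), [])
            for a in range(len(mats[0]))]

def purify(C, q, ops=(I2, X)):
    """Bob applies U_k with probability q_k, kept coherent with an ancilla (cf. Eq. 16)."""
    return stack(q, [matmul(C, [list(col) for col in zip(*U)]) for U in ops])

def rho_B(C):
    """Bob's reduced density matrix Tr_A |Psi><Psi|."""
    n = len(C[0])
    return [[sum(r[i] * complex(r[j]).conjugate() for r in C) for j in range(n)] for i in range(n)]

def cheating_unitary(D0, D1):
    """Solve D1 = U_A D0: U_A = D1 D0^H (D0 D0^H)^-1; needs Alice's 2x2 state full rank."""
    G = matmul(D0, dagger(D0))
    det = G[0][0] * G[1][1] - G[0][1] * G[1][0]
    Ginv = [[G[1][1] / det, -G[0][1] / det], [-G[1][0] / det, G[0][0] / det]]
    return matmul(matmul(D1, dagger(D0)), Ginv)

def close(P, Q, tol=1e-12):
    return all(abs(p - q) < tol for rp, rq in zip(P, Q) for p, q in zip(rp, rq))

def unitary_for(q):
    """U_A computed from the states Bob's secret distribution q actually produces."""
    return cheating_unitary(purify(C0, q), purify(C1, q))

def unitary_for_superposition(pi, omegas):
    """U'_A when Bob also purifies his choice among the omegas with weights pi (cf. Eq. 9)."""
    return cheating_unitary(stack(pi, [purify(C0, q) for q in omegas]),
                            stack(pi, [purify(C1, q) for q in omegas]))
```

In this toy case every call returns the Hadamard matrix, so Alice needs neither Bob's distribution nor the weights of his superposition to compute it.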

In summary, we find that there is nothing wrong with secret parameters in QBC. We prove that in a concealing protocol, the cheating unitary transformation is independent of any parameters secretly chosen by Bob. Our result shows that the original proof of the no-go theorem [2, 3, 4, 5] was based on an incorrect assumption. Nevertheless, even with secret parameters, unconditional security remains impossible within the framework adopted by the no-go theorem.

Appendix 



Suppose Bob chooses a unitary operator in $\{U_k\}$ with a probability distribution $\omega_i = \{q_{ik}\}$ and applies it to a state $|\phi_{AB}\rangle$, such that

As is well known, if $U_k$ is not disclosed, Bob can postpone (or purify) his decision by entangling with a set of orthonormal ancilla states $\{|\xi_k\rangle\}$, so that instead of $|\psi_{AB}\rangle$, he generates

$$|\psi'_{AB}(\omega_i)\rangle = \sum_k \sqrt{q_{ik}}\,|\xi_k\rangle\,U_k\,|\phi_{AB}\rangle. \tag{16}$$

Likewise, if $\omega_i$ is not disclosed, Bob can also purify his choices with another probability distribution $\pi = \{p_i\}$, such that

$$= \sum_{i,k} \sqrt{p_i}\,\sqrt{q_{ik}}\,|\chi_i\rangle\,|\xi_k\rangle\,U_k\,|\phi_{AB}\rangle, \tag{18}$$

where $\{|\chi_i\rangle\}$ is another set of orthonormal ancilla states.
Theorem 2 Purifying a probability distribution 
[in Eq. (17)] is equivalent to picking a new effective 
one [in Eq. ltTH|l ]. 



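Proof Define

(19)

so that

(20)

On the right hand side of Eq. (18), we write

$$\sum_i \sqrt{p_i q_{ik}}\,|\chi_i\rangle = \sqrt{q'_k}\,\sum_i \sqrt{p_i q_{ik}/q'_k}\,|\chi_i\rangle = \sqrt{q'_k}\,|\chi'_k\rangle, \tag{21}$$

where

$$|\chi'_k\rangle = \sum_i \sqrt{p_i q_{ik}/q'_k}\,|\chi_i\rangle. \tag{22}$$

Note that the $|\chi'_k\rangle$'s are normalized but not necessarily orthogonal.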

Substituting Eq. (21) into Eq. (18), we get

$$= \sum_k \sqrt{q'_k}\,|\xi'_k\rangle\,U_k\,|\phi_{AB}\rangle, \tag{23}$$

where

$$|\xi'_k\rangle = |\chi'_k\,\xi_k\rangle \tag{24}$$

are the new orthonormal ancilla states. Comparing with Eq. (16), we obtain the desired result

$$= |\psi'_{AB}(\omega_j(\pi))\rangle, \tag{25}$$

where $\omega_j(\pi) = \{q'_k\}$ is the new effective probability distribution.

Using the above result, we can prove the following corollary:

Corollary It is in general not meaningful to specify a probability distribution to an untrustful party in any quantum protocol, because he/she can always cheat.

Proof Suppose the protocol specifies that Bob should take certain action $U_k$ on each qubit (or group of qubits) in his possession according to a probability distribution $\omega_j = \{q'_k\}$. According to the theorem just proven, he can always generate a superposition of distributions with appropriately chosen $p_i$'s, such that the effective distribution is $\omega_j$ [see Eqs. (17)-(25)]. Obviously Bob would have no problem passing any checks concerning $\omega_j$. In general some qubits are measured and discarded in the checking procedure. For each of the remaining qubits, Bob could either stay with $\omega_j$, or he could measure the ancilla states $\{|\chi_i\rangle\}$ in Eq. (17) to obtain a new distribution $\omega_i$ which is not necessarily equal to $\omega_j$. For a large number of qubits, the probability that $\omega_j$ is obtained for every qubit is exponentially small. Hence it is not meaningful to specify a probability distribution to an untrustful Bob, because one can never be sure that he is honest.